IT Blogwatch: BYOD and shiny toys

Horrible Apple iOS virus; vectored via USB: WireLurker is 'new brand of threat' [u]

Plugging in your iPhone? Don't blindly trust Macs or chargers, even if you're not in China

wirelurker richard uten cc by
Richard Uten (cc:by)

IT Blogwatch: BYOD and shiny toys

Show More

According to researchers at Palo Alto Networks, the so-called WireLurker virus can infect your iPhone or iPad from a simple USB connection. Hundreds of thousands of users have been infected already, say researchers.

Apple says it's already fixed the problem, but independent infosec geeks say the company still has a long way to go, and that the problem isn't limited to China.

In IT Blogwatch, bloggers cut the cord.

Your humble blogwatcher curated these bloggy bits for your entertainment.

Calling it, "an impressive malware attack," Jeremy Kirk dox the warp and weft of this story: [You're fired -Ed.]

[It] revolves around infecting Mac OS X applications with “WireLurker,” which collects call logs, phone book contacts and other sensitive information. [It's] notable for how it leverages desktop Mac applications as part of the attack on iOS. [It] waits for when an iOS device is connected by a USB cable.

[It uses] a digital certificate that Apple issues to enterprise developers so they can run their own applications in-house that do not appear on the App Store [which] means iOS would allow [malware] to be installed. ... Apple could first revoke the enterprise digital certificate [and] issue an update to detect WireLurker.  MORE

And Sai Sachin R reports from Bangalore:

[It's] underscoring the increasing sophistication of attacks on iPhones and Mac computers. [WireLurker] can install third-party applications on regular, non-jailbroken iOS devices. ... Palo Alto Networks [saw] indications that the attackers were Chinese.

Apple, which...was notified a couple weeks ago, did not respond to requests for comment.  MORE

Data. We want it. Nicole Perlroth obliges:

In the last six months, Palo Alto Networks said 467 infected applications were downloaded over 356,104 times and “may have impacted hundreds of thousands of users.”

Typically, iOS users can download applications from third parties only if they have “jailbroken” their run software Apple has not authorized. With WireLurker, an infected application can reach a non-jailbroken phone...which is [the] researchers say WireLurker represents a “new brand of threat to all iOS devices.”  MORE

"FIRST!" cries Claud Xiao, the 马口:

Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen...the first malware to automate generation of malicious iOS applications...the first known malware that can infect installed iOS applications similar to a traditional virus...the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices.

This malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices. [It] exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.
  • Keep the iOS version on your device up-to-date
  • Do not accept [a] provisioning profile unless...your IT corporate help desk explicitly instructs you to do so
  • Do not pair your iOS device with untrusted or unknown computers ...
  • Avoid powering your iOS device through [untrusted] chargers...or unknown accessories ...
  • If you do jailbreak it, only use credible Cydia community sources

Meanwhile, Apple issued this brief statement, according to Jon Russell:

We are aware of malicious China, and we’ve blocked the identified apps.

As always, we recommend that users download and install software from trusted sources.  MORE

But Jonathan Zdziarski says that's not good enough, pointing out inherent flaws in the iOS design:

The bigger issue here is not WireLurker itself [it's] that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized...due to Apple’s lack of codesign pinning [and] how malicious software can abuse the pairing records of a desktop machine to install malware on an iOS device. ... [A] sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.

What can Apple do to help prevent it? ... Have the phones do a better job of prompting the user. ... Disable “Enterprise” app installation entirely without an “Enterprise Mode.” ... Manage access to “Trusted Pairing Relationships” with devices the same way it manages access permissions for contacts. ... Lock out any third party application from piggybacking on these trusted relationships. ... Pin the bundle identifier so that it has to be signed with a specific entity’s cert. ... Have the operating system enforce access to specific hostnames only by specific bundle identifiers. ... Use the secure element in iOS devices to validate applications.

It would greatly behoove Apple to address this situation with more than a certificate revocation [because] this technique could be weaponized in the future. ... It would be a much better solution to address the underlying design issues.  MORE


You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2014 IDG Communications, Inc.

Shop Tech Products at Amazon